Further Reading

Two major supermarket chains announced that their customers' credit card information may have been stolen during a network intrusion.

SuperValu, the Minnesota parent company of Cub Foods, Farm Fresh, Hornbacher’s, Shop ’n Save, and Shoppers Food and Pharmacy, announced that 180 stores in North Carolina, Maryland, Virginia, Illinois, Missouri, North Dakota, and Minnesota were affected.

"The Company has not determined that any such cardholder data was in fact stolen by the intruder, and it has no evidence of any misuse of any such data, but is making this announcement out of an abundance of caution," SuperValu said in a statement Friday.

Meanwhile, AB Acquisition LLC, the parent company of Albertsons and Jewel-Osco, said in a Thursday statement:

Third-party data forensics experts are supporting an ongoing investigation. AB Acquisition has not determined that any cardholder data was in fact stolen, and currently it has no evidence of any misuse of any such data.

…

Based on information we have at this time, Albertsons stores in Arizona, Arkansas, Colorado, Florida, Louisiana, New Mexico, Texas and our two Super Saver Foods Stores in Northern Utah were not impacted by this incident. However, Albertsons stores in Southern California, Idaho, Montana, North Dakota, Nevada, Oregon, Washington, Wyoming and Southern Utah were impacted. In addition, ACME Markets in Pennsylvania, Maryland, Delaware and New Jersey; Jewel-Osco stores in Iowa, Illinois and Indiana; and Shaw’s and Star Markets stores in Maine, Massachusetts, Vermont, New Hampshire and Rhode Island were all impacted by this incident.

AB Acquisition LLC also said that SuperValu provides its IT services, which probably means that the Minnesota-based corporation was the primary breach. SuperValu had been the previous owner of the Albertsons chain. Albertsons was sold to Cerberus Capital Management in 2006, which then also acquired the Safeway chain in 2014.

The firms did not say precisely how such data was taken, but given the recent spate of point-of-sale hacks at Target and other major retailers, the point-of-sale systems would be a likely attack vector. Earlier this month, a Wisconsin-based security firm reported that 1.2 billion usernames and passwords had been captured by a Russian criminal group.

Further Reading

In their statement, SuperValu wrote that the company "took immediate steps to secure the affected part of its network."

"Supervalu believes the intrusion has been contained and is confident that its customers can safely use their credit and debit cards in its stores," the company stated.

If the credit card data was indeed stolen, it likely would turn up on underground markets for sale.

As Ars reported in December 2013, the stolen credit card information from Target was flooding such websites frequented by criminals, who paid as much as $100 per card. Journalist Brian Krebs reported that the information was "selling in batches of one million cards and going for anywhere from $20 or more than $100 per card."